by rl3 2858 days ago
While I tend to agree with catastrophically steep penalties, there are perhaps unintended consequences.

It wouldn't be hard for an APT-type shop to breach just about any average corporation using an arsenal of private exploits, fuck with their security configuration to make it look like gross incompetence, and exfiltrate the data to some seemingly-amateur front organization that actually leaks it.

End result is you could have foreign actors knocking out their country's competition abroad, using their competitor's laws to do so. Not ideal.

Maybe some determination would have to be made to avoid that, like a judgement rendered on the corporate culture. For example, is it obviously a cesspool of incompetence just in a general sense? Great, burn the company down.

Does the company custom-design their own ARM hardware to at least have a fighting chance vs APT-type threats? Maybe they did everything they reasonably could in that case. You could also argue smaller companies did everything they could even if they don't have the resources for that, provided there's not rampant incompetence.

2 comments

Well, it could be in the case where it looked like sabotage, I'd expect the victim company to go to great lengths to prove it (i.e., evidence to the contrary, etc). It probably wouldn't be that hard.

In this case, it was a spyware company. Seems almost fitting that they'd be unconcerned about securing data that was essentially tricked/stolen from their users.

If the APT is good enough, you're talking forensically not provable.

You missed step 0 in this scenario where steep penalties are the default: short the stock.

The market will overlook anything if the company is still profitable. That's where regulatory penalties shine.